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DETAILED ACTION 

1 . Claims 1-6 remain for examination. Tine correspondence filed 3/6/09 amended 
claim 1. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 3/6/09 
has been entered. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-6 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

4. The text of those sections of Title 35, U.S. Code not included in this action can 
be found In a prior Office action. 

5. Claims 1-6 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
"Intrusion Detection Using Static Analysis" (hereinafter, "Wagner") in view of "Static 



Application/Control Number: 10/697,756 Page 3 

Art Unit: 2435 

Analysis" (liereinafter, "Webb") and further in view of "Splint Manual" (hereinafter, 
"Splint") in view of U.S. Patent 6,272,641 (hereinafter, "Ji"). 

Regarding claim 1 : 

Wagner discloses a method for detecting malicious scripts using a static 
analysis, comprising the step of: checking whether a series of methods constructing a 
malicious code pattern exist (page 158, 1®' paragraph); wherein the checking step 
comprises the steps of: classifying, by modeling a malicious behavior in such a manner 
that it includes a combination of unit behaviors each of which is composed of sub-unit 
behaviors or one or more method calls, each unit behavior and method call sentence 
into a matching rule for defining sentence types to be detected in script codes and a 
relation rule for defining a relation between patterns matched so that the malicious 
behavior can be searched by rule variables used in the sentences satisfying the 
matching rule (section 4.3, "The abstract stack model", and particularly pages 160-161, 
"The context-free model"); generating instances of the matching rule by searching for 
code patterns matched with the matching rule from a relevant script code to be detected 
[i.e., actually implementing the classification step above] (Ibid, and also page 164, "6. 
Evaluation", 1®' paragraph); and generating instances of the relation rule by searching 
for instances satisfying the relation rule from a set of the generated instances of the 
matching rule (Ibid). 

Wagner does not disclose extracting parameters of functions used in the 
searched code patterns, and storing the extracted parameters in the rule variables. 
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preferring instead to implement a simpler model. Nevertheless, Webb teaches that the 
ability to statically analyze "local variables, data structures, and all other data flow" in a 
script so as to determine if the script is non-hazardous has been long since known in 
the art, and has even been realized in pre-existing products (the MALPAS system, see 
page 4/2, and in particular the "Control Flow Analyzer", "Data Use Analyzer", and 
"Information Flow Analyzer" sections). It would have been quite obvious to one of 
ordinary skill in the art at the time the invention was made to incorporate at least these 
elements of Webb's MALPAS system into the static analyzer disclosed by Wagner. 
One might be inclined to do so because it would negate the need to make simplistic 
assumptions regarding the behavior of the scripts to be tested (see Wagner, page 158, 
"4. Models", 2"^^ paragraph, noting that the conditions assumed to be true can actually 
be tested by Webb's "Data Use Analyzer"), and that a suitably modified analyzer would 
be useful to verify the correctness of many diverse and/or high integrity applications 
(Webb, page 4/3, "5. Static Analysis Experience and Applicability"). 

Neither Wagner nor Webb describe in sufficient detail whether their analyses 
checking whether parameters and return values associated between methods match 
each other. However, Splint discloses another related static analysis tool wherein that 
tool is capable of examining all the parameters and return values of functions [i.e. 
methods] and compare them to establish that no mismatch exists (pages 19-24, "4. 
Types"; see also pages 38-40, "7.3 Declaration Consistency" and "7.4 State Clauses"). 
Splint also discloses wherein said matching rule comprises rule identifiers and sentence 
patterns to be detected (Appendix C). It would have been obvious to include this feature 
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into the static analysis tools disclosed by Wagner and/or Webb, as the technique(s) 
were clearly well within the abilities of one of ordinary skill in the art at the time of the 
invention, in view of the teaching of the technique(s) in a related static analyzer tool. 

Although Examiner disagrees that Wagner fails to disclose any sort of "matching 
rules" as provided by the new limitation of the claims - particularly as the whole point is 
to match the various lexical elements generated by the abstract data model to ensure 
the script's correctness :-e.g. page 160, second column, 1st paragraph - nevertheless Ji 
discloses a related static analyzer of interpreted software (in his case, a Java program: 
col. 4, lines 1-5) wherein a Java applet is statically analyzed by analyzing a relation 
between the rule identifiers used in the sentence patterns satisfying the matching rule 
(col. 5, line 15 - col. 6, line 50); and generating instances of the relation rule inter alia 
through a relation analysis process by continuously checking whether previously 
generated instances of the relation rule associated with a currently generated instance 
of the relation rule are satisfied (Ibid). It would have been obvious to incorporate these 
elements into the static analyzers of the other prior art references as Ji discloses 
wherein his approach minimizes the amount of work needed to be performed by both 
the server and the client (col. 6, lines 48-61). 

Regarding claim 2: 

Wagner further discloses wherein the matching rule is composed of rule 
identifiers and sentence patterns constructing malicious behavior and having the same 
grammar as a language of the scripts to be detected (Figure 2) 



Application/Control Number: 10/697,756 Page 6 

Art Unit: 2435 

Regarding claim 3: 

Wagner and Splint further discloses wherein the relation rule further includes 
preconditions in which conditions should be satisfied prior to the conditions in the 
conditional expressions are described, and the action expressions describe contents 
that will be executed when both the conditional expressions and the preconditions are 
satisfied (Wagner: page 162, "Principle 1" and subsequent paragraphs, and Figure 2; 
Splint: sections 7.3 "Declaration Consistency" and 7.5 "Requires and Ensures 
Clauses"). 
Regarding claim 4: 

Wagner further discloses converting the script into a format suitable for static 
analysis (Figure 2). 
Regarding claim 5: 

Splint further discloses the step of reporting identified instances of the matching 
rule and relation rule in a result report process (see the "Running Splint" column of 
Figures 1-24; and page 11, "1.1 Warnings"). 
Regarding claim 6: 

Wagner and Splint disclose wherein the relation rule comprises conditional 
expressions in which conditions satisfying the relevant rule are described, and action 
expressions in which contents to be executed are described when the conditions in the 
conditional expressions are satisfied (Wagner: Figure 2; Splint: page 41, "7.5 Requires 
and Ensures Clauses"). 
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Conclusion 

6. Any inquiry concerning this communication or earlier communications from tine 
examiner should be directed to Thomas Gyorfi whose telephone number is (571)272- 
3849. The examiner can normally be reached on 8:30am - 5:00pm Monday - Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571 ) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

TAG 
5/21/09 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



